Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A sophisticated malvertising campaign is using fake Microsoft Teams installers to compromise corporate systems, leveraging poisoned search engine results and abused code-signing certificates to deliver the Oyster backdoor<\/a> malware.<\/p>\n The attack was neutralized by Microsoft Defender\u2019s Attack Surface Reduction (ASR) rules, which blocked the malware from establishing contact with its command-and-control server.<\/p>\n The multi-stage attack highlights an increasing trend of threat actors using legitimate services to appear trustworthy and evade traditional security measures.<\/p>\n By using short-lived, valid code-signing certificates<\/a>, the attackers were able to bypass initial signature-based detection and trick systems into trusting the malicious software.<\/p>\n Conscia\u2019s forensic investigation revealed a rapid and automated attack sequence that began with a simple web search.<\/p>\n On September 25, 2025, an employee\u2019s search on Bing for Microsoft Teams led to a malicious redirect. Within just 11 seconds of the initial search, the user was funneled from This rapid redirection points to an automated process, likely driven by a malvertising campaign or a poisoned search engine result that placed the malicious link high in the search rankings.<\/p>\n The domain Roughly an hour later, the file was executed. Although it appeared to be a legitimate installer, it was in fact the Oyster malware. The attack was only stopped when Microsoft Defender\u2019s ASR rules detected and blocked the malware\u2019s attempt to connect to its C2 server at The core of this campaign\u2019s sophistication lies in its abuse of code-signing certificates. The malicious executable was signed by a seemingly legitimate entity named \u201cKUTTANADAN CREATIONS INC.\u201d using a certificate that was valid for only two days, from September 24 to 26, 2025.<\/p>\n This emerging tactic allows threat actors to:<\/p>\n Conscia research uncovered<\/a> other similar short-lived certificates used by signers like \u201cShanxi Yanghua HOME Furnishings Ltd,\u201d suggesting a larger, well-orchestrated operation.<\/p>\n This incident was neutralized before any data could be exfiltrated or further payloads like ransomware could be deployed. The successful prevention demonstrates that traditional security measures are no longer sufficient. Trust in digital certificates cannot be absolute, and organizations must deploy advanced endpoint protection.<\/p>\n Had the ASR rules not been in place, the Oyster backdoor<\/a> (also known as Broomstick or CleanUpLoader) would have established persistent access to the compromised system. This would have enabled the attackers to conduct data theft, deploy additional malware, and move laterally across the network.<\/p>\n Key lessons from this attack are clear: attackers are evolving their use of legitimate system tools (\u201cliving-off-the-land<\/a>\u201c), certificate trust is being actively weaponized, and the speed of automated attacks requires robust, behavior-based security controls like ASR to prevent a compromise that can occur in seconds.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nOyster Malware Via Microsoft Teams Installer<\/strong><\/h2>\n
bing.com<\/code> through a redirect domain (team.frywow.com<\/code>) to a malicious site, teams-install.icu<\/code>.<\/p>\nteams-install.icu<\/code> was designed to spoof a legitimate Microsoft download page and was hosted on Cloudflare to further mask its malicious intent. Once the user landed on the page, a file named MSTeamsSetup.exe<\/code> was downloaded. <\/p>\nnickbush24.com<\/code>.<\/p>\n\n